Stolen Paradise Papers aren't making people or companies look good. Off-year election security. Trollhunting. Notes on the future of cyber conflict from CyCon 2017.
Dave Bittner: [00:00:00:12] Thanks once again to all of our supporters on Patreon. Just a reminder that at the $10 per month level you get a version of the CyberWire without the ads. It's the same show you know and love, just, no ads. So check it out, it's at patreon.com/thecyberwire.
Dave Bittner: [00:00:16:17] More on the Paradise Papers, where the optics are looking more Inferno than Paradiso. Off-year elections in the US are on today amid general concerns about, well, something doing something to them. Trollhunting sometimes brings down the wrong targets. Notes on the future of cyber conflict from CyCon 2017. The Internet's co-inventor says it's time to hold coders accountable for buggy software. And Facebook will keep your naughty selfies off the Internet. Promise.
Dave Bittner: [00:00:50:05] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence unless, maybe, it's machine learning. But it's not always easy to know what these could mean for you. So go to e8security.com/cyberwire and see what AI and machine learning can do for your organization's security. In brief, they offer, not a panacea, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit e8security.com/cyberwire, and see how they can help address your security challenges today. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:47:12] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, November 7th, 2017.
Dave Bittner: [00:01:57:20] As journalists and others continue to sift through the Paradise Papers, the large trove of documents stolen and leaked from Appleby, a Bermuda law firm serving high-net-worth individuals and various corporations, the optics aren't good. It's unclear that any laws were broken, except by the unknown parties who obtained the leaked documents by unknown means, but the appearance of widespread tax avoidance by offshoring wealth is an unpleasant one. Much comment is drawn by the appearance of prominent public figures, the British Royal Family, the Canadian Prime Minister, various British politicians and Russian oligarchs, US political figures who evidently had to do with Russian oligarchs, and so on.
Dave Bittner: [00:02:39:07] Apple is among the corporations mentioned in the leaks, and Apple says that its own use of various instruments available in the Channel Islands were not intended to avoid paying, for example, Irish taxes, but were in fact an effort to ensure that tax revenues properly went to the United States.
Dave Bittner: [00:02:57:04] It's election day in most US states. These are relatively minor elections, compared even to the midterm elections that will be held next year, still more so in comparison to the quadrennial Presidential elections. But these elections do have effects, and they're also the first regular elections to be held in the US since widespread concerns about foreign meddling surfaced in 2016.
Dave Bittner: [00:03:21:00] So state and local election authorities are keeping an eye out for finagling this week. Manipulation of vote totals and election outcomes are a much feared potential threat, but one that seems not to have materialized so far. Influence operations, on the other hand, have proven more than just a theoretical possibility. It's generally regarded as beyond question that Russian intelligence services have worked hard to sow doubt and mistrust around Western institutions, elections in particular.
Dave Bittner: [00:03:49:03] Thus social media providers, especially Facebook and Twitter, have been under public pressure to do something about the use of their platforms for influence operations. The difficulties of screening for obnoxious opinion have become well-known. It's not only extremely labor-intensive, and therefore expensive, but it's also subjective, has difficulty handling intentionality, and has also put free-speech advocates' backs up.
Dave Bittner: [00:04:13:24] Troll-hunting, on the other hand, especially when the trolls are sock puppets, catphish, or other fictitious personae, has seemed more promising. One Russian troll, a fictitious person known on social media as "Jenna Abrams," had around 70,000 followers and a couple thousand friends, and Jenna Abrams was being used to advance Russian government aims. There are a lot more like Jenna out there. And a number of real and innocent people have been booted from social media because the providers' algorithms or screeners mistook them for trolls or catphish. Some of those people have had their accounts restored, but others are still working their way back into the good graces of Menlo Park and San Francisco.
Wesley Simpson: [00:04:53:19] Everybody looks towards, you know, a few folks within your organization to fix everything, you know, to barely be that savior against somebody's nefarious activities, and so really, all eyes come on the security teams and the IT teams. But unfortunately, you know, the majority of these issues, the internal breaches, you know, come from the employees.
Dave Bittner: [00:05:15:13] That's Wesley Simpson, Chief Operating Officer at (ISC)2. He maintains that cyber security isn't so much a technical problem, as it is a people problem.
Wesley Simpson: [00:05:24:22] And most of those are accidental, they're not doing it on purpose. They're either sending information, external to the company, exposing some of their data or PII information unknowingly, or they're just clicking on links. It all just comes down to the basics, and some simple education about how employees should and should not act, whether they're in the workplace or at home.
Dave Bittner: [00:05:48:22] And so what are your recommendations for how companies can spread a company wide culture of good cyber security?
Wesley Simpson: [00:05:55:12] One of the things we really try to promote is to build in that enterprise mindset of having a cyber culture. And it really needs to be part of the daily lexicon within an organization. And it shouldn't only be spoken in the security teams or the IT teams, it really should be part of all teams and all departments, even so far as being, you know, a regular agenda item on staff meetings. It's not a one and done, you can't just roll out your annual security awareness training and then check that box and say we're done. This needs to be continual, it needs to happen, you know, throughout the year, it needs to be something that you can track, something that you can measure, and be transparent about it. You know, show the employees how they're doing, show them what they did good, and show them what they did wrong, and show them how to correct it. So you've really got to embrace the entire population of an organization. And every organization really needs to become a security organization, and that's really getting down to the basics and working with every individual and every team, about making that tie on how they really contribute to creating that cyber culture.
Dave Bittner: [00:07:07:11] Do you have any recommendations for how to put effective incentives in place? I hear a lot of people say that, you know, my bonus is not based on how I do with my cyber security.
Wesley Simpson: [00:07:18:03] Yeah. Yeah. So what you're getting at is really at the crux to make this thing successful in an organization. People work on, and people march towards those things that they're measured against, and it's usually typically their goals at the end of the year, and that usually has to do with some type of financial reward or merit or bonus, depending on how well they performed against those goals. So in order to change those types of behaviors and align those behaviors against the culture that you want, which is an improved, you know, security cyber mindset, you've got to create goals at the company level around cyber security, and what are some specific improvements and targets that you guys want to have as an organization. And being able to push those out, down to every single employee, to help align those behaviors to move the organization together down that path that you want to be able to accomplish.
Dave Bittner: [00:08:12:22] You know, I think about-- you see it at, you know, manufacturing organizations, they'll have a sign out on the shop floor that says, "It's been X number of days since we've had an accident here in the shop." Do we need those sort of signs in the break room that says "It's been X number of days since we've had a cyber breach?"
Wesley Simpson: [00:08:28:15] You know, I'm not going to say that's off the table. I will say that, you know, you-- companies have to figure out, one, how to make this less mysterious and really get this into being a true part of their culture that they really see how they tie back into it. So you've got to have that transparency. And one of the fun ways you can do this within companies is through these internal phishme exercises. So I'll give you an example. So our security team every month they do these mock up emails and they send them out company wide. That could be anything, you know, from a free cup of coffee or a free meal or gift card. And they do a really good job at making it look exactly like that company that they're trying to mimic. And then they measure. They measure, okay, how long does it take for people to click it? How many people clicked it? How-- is it coming down from a specific team or department? And so month over month, we hopefully are starting to see that we're getting better at it, as well as we're able to see, okay, what types of emails, what types of links are we continually clicking on and then having to bolster our education around those particular scenarios.
Dave Bittner: [00:09:48:13] And there's always Bob in Accounting who clicks on everything, right? [LAUGHS].
Wesley Simpson: [00:09:51:16] Yeah. [LAUGHS]. That-- no matter what you-- you could put the biggest sign out there, "Do not click on this link," and Bob's still going to click on it.
Dave Bittner: [00:10:00:22] And that's Wesley Simpson from (ISC)2.
Dave Bittner: [00:10:06:00] CyCon is meeting in Washington, DC, today and tomorrow, and the CyberWire is attending. Organized by the US Army Cyber Institute and NATO's Cooperative Cyber Defense Center of Excellence, the conference's theme is the future of cyber conflict.
Dave Bittner: [00:10:20:05] Today's morning keynotes stressed some familiar themes, the reality of the cyber threat, the growing importance of cyberspace as an operational domain, the increasing rate of change, the centrality of artificial intelligence to future cyber operations and the importance of collaboration. None of this is news, but it's interesting to see the continuing consensus they express.
Dave Bittner: [00:10:42:16] A few highlights worth mentioning include Army Cyber Command's Lieutenant General Paul Nakasone's characterization of data as "the new high ground, the new key terrain." The US Army, he said, is working to push cyber capabilities to forward deployed forces. An important sign of this is the degree to which the Army now gives Brigade Combat Teams cyber elements to use in their regular rotations through training centers. And that is news. Military capabilities don't become real until they're exercised and this is as clear a signal as any that the US Army is serious about pushing cyber operations down to the tactical level in the battle space.
Dave Bittner: [00:11:21:04] Internet co-inventor Vint Cerf also spoke, and he said he was determined to be the bearer of bad news. We aren't winning. Cerf argued that we've overlooked or simply disregarded some approaches to better security that have been well-known for some years, hardware-enabled security among them. Above all he sees a quality problem in software, and says that we're unlikely to realize serious improvement in safety and security until we begin to impose liability and consequences for bad practices. "There must be a price to pay for doing a bad job," is how he summed it up.
Dave Bittner: [00:11:55:19] US Army Chief of Staff General Mark Milley closed the morning session with a historical account of changes in the character of warfare. He thinks we're in the middle of a change comparable to earlier revolutions in the conduct of war. Increased visibility and increased precision are producing increased lethality. The rapid advance in information technology and its swift dissemination into cyberspace as an operational domain have changed, fundamentally, the way we fight. And such changes aren't complete until they've produced a fusion of technology, doctrine, organization, and training.
Dave Bittner: [00:12:30:15] We'll have more on CyCon over the course of the week.
Dave Bittner: [00:12:34:03] To turn to other matters, another celebrity, this one described as a professional wrestling "diva," has been embarrassed by the posting of saucy pictures to the Internet. One might hope that, since this is a second occurrence, the celebrity's discomfiture is somewhat attenuated. But this kind of extortion and harassment are a real problem for many. It's often a coarse form of revenge. But Facebook now says it may have a solution. Give Facebook any risqué pictures of yourself and Menlo Park promises to pull them from the Internet when it sees them.
Dave Bittner: [00:13:07:19] Well, okay, then. But one can't help reflecting that here, as in so many other places, identity management is all. As one of our stringers who thinks about these things says, how will Facebook know the picture is of you, Joe Lunchbucket or Janie Sixpack, and not someone entirely different? Like, what's to prevent you from claiming to be, say, Jenna Abrams or even Carlos Danger? Well, hey, you've got the pictures to prove it, right? Right.
Dave Bittner: [00:13:42:14] Now I'd like to tell you about a new White Paper from our sponsor Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the White Paper, Understanding The Challenges Of Cloud Monitoring And Security, Delta Risk cloud security experts outline the key methods organizations can adapt, to gain clearer visibility into their network and critical assets. You can get your copy of the White Paper by visiting deltarisk.com/whitepapers-cloudmonitoring. Delta Risk LLC, a Chertoff Group company, is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:14:36:24] And joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, welcome back. You were recently in the Netherlands for a cyber security week conference and you came back with some thoughts that you wanted to share with us.
Emily Wilson: [00:14:51:04] I was. It was a fantastic week, a lot of good policy conversations, a lot of interesting pitches and vendor conversations and a lot of investments discussions. I was conducting an informal poll while I was there, asking people a few different things, depending on who I was talking to, but about the AlphaBay and Hansa takedowns just from a dark web perspective. But then some questions about Equifax and GDPR. I was interested to see as an American, how the Dutch and how some of the people from the UK were reacting to Equifax, what they were hearing about it, how it was being discussed in kind of major news organizations and how it was being discussed in the industry. The answers were, I suppose I would call them surprising.
Dave Bittner: [00:15:34:15] How so?
Emily Wilson: [00:15:35:17] I expected there to be more industry discussion around Equifax and more discussions around the implications of the breach or the implications of Equifax's security practices. But in fact, what I heard from most people was that it was being discussed largely as an embarrassment and more specifically around the executives who had sold stock. And that's what really was driving the conversations.
Dave Bittner: [00:16:02:04] And do you suppose perhaps because it wasn't a terribly sophisticated breach and that they got hit with a known vulnerability?
Emily Wilson: [00:16:09:20] Perhaps. I know that some people that I spoke to from the UK were a little bit more concerned about the potential fallouts and they were interested to see over time. You know, I think at that point we were still waiting to hear exactly how many people in the UK had been impacted. But really, people were discussing cyber security incidents closer to home which isn't surprising. There were a lot of conversations about WannaCry on the UK side and NotPetya in the Netherlands.
Dave Bittner: [00:16:38:17] How much did you see reflected in your conversations at what I perceive is a real difference in attitudes towards privacy between Europeans and Americans?
Emily Wilson: [00:16:46:19] There's definitely a real difference in attitude toward privacy both for individuals and also for companies and definitely at a national level, you know, whether it's discussions around GDPR or using these incidents as an opportunity to evaluate the role of government or where investment spending should be directed, whether it's helping businesses, whether it's building up, you know, national security infrastructure. Definitely different approaches, definitely different concerns.
Dave Bittner: [00:17:18:08] And I think it's going to be interesting, obviously, when GDPR kicks in, to see what the global impact's going to be.
Emily Wilson: [00:17:24:14] That was one of the questions I was asking while I was there of, you know, again, a number of different people about how people expect GDPR to actually be enforced? And how they expect to see it play out over the next, call it, next five years? In particular, you know, I think we all agree that, some major organization is going to get hit hard with some fines because of lack of GDPR compliance. But what is this going to look like for smaller organizations? The general consensus was that no-one is going to bankrupt a small company for a failure to comply. There's going to be a lot of leeway. But more than one person told me, and I think this isn't a surprise, that they expect to see at least one large organization used to make an example, pretty early on after the legislation is in place.
Dave Bittner: [00:18:14:07] Interesting to note as well that the GDPR regulations do not include any jail time, they are all fines.
Emily Wilson: [00:18:21:02] They are fines and, you know, the lack of jail time may be nice but the fines are not small, at least not as currently outlined.
Dave Bittner: [00:18:29:08] No, it's a good point. All right, Emily Wilson, thanks for joining us.
Dave Bittner: [00:18:34:24] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.
Dave Bittner: [00:18:52:18] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.